add internal IPA support and revproxy

defaults/main.yml

@@ -34,6 +34,7 @@ gerrit_sshd_threads: "32"
 
 # Gerrit httpd
 gerrit_httpd_listen_url: "proxy-https://127.0.0.1:8080/"
+gerrit_httpd_proxy_url: "http://127.0.0.1:8080/"
 gerrit_referenced_objects_reachable: false
 
 # Gerrit setup
@@ -54,4 +55,7 @@ oauth_client_secret: "NONE"
 # ldap if enabled
 ldap_url_list:
   - ldap://ipa-us-east-2.rockylinux.org
+
+# Use freeipa CA
+tls_use_internal_freeipa: true
 ...

install-gerrit.yml

@@ -5,6 +5,7 @@
   become: true
   vars_files:
     - vars/gerrit.yml
+    - vars/internal.yml
   handlers:
     - import_tasks: handlers/main.yml
 
@@ -43,6 +44,11 @@
         fail_msg: "Please set a proper database password."
       when: not gerrit_allow_insecure_passwords|bool
 
+  roles:
+    - role: rockylinux.ipagetcert
+      state: present
+      when: tls_use_internal_freeipa|bool
+
   tasks:
     - name: Deploy gerrit as needed
       ansible.builtin.import_tasks: tasks/install.yml

roles/requirements.yml

@@ -0,0 +1,7 @@
+---
+# Roles
+roles:
+  - name: rockylinux.ipagetcert
+    src: https://github.com/rocky-linux/ansible-role-ipa-getcert
+    version: main
+...

tasks/install.yml

@@ -2,6 +2,9 @@
 - name: Setup gerrit basics
   ansible.builtin.include_tasks: setup.yml
 
+- name: Install and configure packages
+  ansible.builtin.include_tasks: pkg.yml
+
 - name: Install gerrit
   ansible.builtin.include_tasks: deploy.yml
 ...

tasks/pkg.yml

@@ -0,0 +1,21 @@
+---
+- name: Install packages as needed
+  ansible.builtin.package:
+    name: "{{ installed_packages }}"
+    state: present
+
+- name: Deploy reverse proxy
+  ansible.builtin.template:
+    src: "gerrit.httpd.j2"
+    dest: "/etc/httpd/conf.d/gerrit.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart_httpd
+
+- name: Ensure httpd is enabled and running
+  ansible.builtin.systemd:
+    name: httpd.service
+    state: running
+    enabled: true
+...

templates/gerrit.httpd.j2

@@ -0,0 +1,19 @@
+<VirtualHost *:443>
+  SSLEngine on
+  SSLCertificateFile /etc/pki/tls/certs/{{ ansible_fqdn }}.crt
+  SSLCertificateKeyFile /etc/pki/tls/private/{{ ansible_fqdn }}.key
+  ProxyRequests Off
+  ProxyVia Off
+  ProxyPreserveHost On
+
+  <Proxy *>
+    #Order deny,allow
+    #Allow from all
+    # Use following line instead of the previous two on Apache >= 2.4
+    Require all granted
+  </Proxy>
+
+  AllowEncodedSlashes On
+  ProxyPass / {{ gerrit_httpd_proxy_url }} nocanon
+  #ProxyPassReverse / {{ gerrit_httpd_proxy_url }} nocanon
+</VirtualHost>

vars/internal.yml

@@ -0,0 +1,10 @@
+---
+ipa_getcert_requested_hostnames:
+  - name: "{{ ansible_fqdn }}"
+    owner: apache
+    key_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
+    cert_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+    postcmd: "/bin/systemctl reload httpd"
+    cnames:
+      - "git.rockylinux.org"
+...